amadey | 0fbb43983af8733417107190f2d4a66c4d8b6b42d10a54f613d060081f36910e

General

Target

file.exe
Size

301KB
MD5

5599f89944adc8ccad21b5ab94d33381
SHA1

8df8ce98cdf2a8cef21e26b03841818c9d522ded
SHA256

0fbb43983af8733417107190f2d4a66c4d8b6b42d10a54f613d060081f36910e
SHA512

a02bbfcecc55aa12ed16f5ef3db495a77be4ae328260f71a91bd93dcbba4de2f5ff9f0cc66c12e3bdc921a816aec3c1b429700f7a9024fdc2e0e901b87276171
SSDEEP

6144:BWHRhTLdCwcaYsbhO83elSyRG/1dZENASIbNjVveSvdNGf3m:BYBCwssbhOnSy3iBbNpvdk/

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.69

C2

88.218.60.230/Gb2dZz/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 4 IoCs

Processes:

oneetx.exeoneetx.exeoneetx.exeoneetx.exe

pid process

1524 oneetx.exe
636 oneetx.exe
1004 oneetx.exe
1604 oneetx.exe
Loads dropped DLL 2 IoCs

Processes:

file.exe

pid process

1720 file.exe
1720 file.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1168 schtasks.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

file.exe

pid process

1720 file.exe

pid	process
1524	oneetx.exe
636	oneetx.exe
1004	oneetx.exe
1604	oneetx.exe

pid	process
1720	file.exe
1720	file.exe

pid	process
1168	schtasks.exe

pid	process
1720	file.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

file.exeoneetx.execmd.exetaskeng.exe

description	pid	process	target process
PID 1720 wrote to memory of 1524	1720	file.exe	oneetx.exe
PID 1720 wrote to memory of 1524	1720	file.exe	oneetx.exe
PID 1720 wrote to memory of 1524	1720	file.exe	oneetx.exe
PID 1720 wrote to memory of 1524	1720	file.exe	oneetx.exe
PID 1524 wrote to memory of 1168	1524	oneetx.exe	schtasks.exe
PID 1524 wrote to memory of 1168	1524	oneetx.exe	schtasks.exe
PID 1524 wrote to memory of 1168	1524	oneetx.exe	schtasks.exe
PID 1524 wrote to memory of 1168	1524	oneetx.exe	schtasks.exe
PID 1524 wrote to memory of 1272	1524	oneetx.exe	cmd.exe
PID 1524 wrote to memory of 1272	1524	oneetx.exe	cmd.exe
PID 1524 wrote to memory of 1272	1524	oneetx.exe	cmd.exe
PID 1524 wrote to memory of 1272	1524	oneetx.exe	cmd.exe
PID 1272 wrote to memory of 1664	1272	cmd.exe	cmd.exe
PID 1272 wrote to memory of 1664	1272	cmd.exe	cmd.exe
PID 1272 wrote to memory of 1664	1272	cmd.exe	cmd.exe
PID 1272 wrote to memory of 1664	1272	cmd.exe	cmd.exe
PID 1272 wrote to memory of 1248	1272	cmd.exe	cacls.exe
PID 1272 wrote to memory of 1248	1272	cmd.exe	cacls.exe
PID 1272 wrote to memory of 1248	1272	cmd.exe	cacls.exe
PID 1272 wrote to memory of 1248	1272	cmd.exe	cacls.exe
PID 1272 wrote to memory of 1768	1272	cmd.exe	cacls.exe
PID 1272 wrote to memory of 1768	1272	cmd.exe	cacls.exe
PID 1272 wrote to memory of 1768	1272	cmd.exe	cacls.exe
PID 1272 wrote to memory of 1768	1272	cmd.exe	cacls.exe
PID 1272 wrote to memory of 1152	1272	cmd.exe	cmd.exe
PID 1272 wrote to memory of 1152	1272	cmd.exe	cmd.exe
PID 1272 wrote to memory of 1152	1272	cmd.exe	cmd.exe
PID 1272 wrote to memory of 1152	1272	cmd.exe	cmd.exe
PID 1272 wrote to memory of 892	1272	cmd.exe	cacls.exe
PID 1272 wrote to memory of 892	1272	cmd.exe	cacls.exe
PID 1272 wrote to memory of 892	1272	cmd.exe	cacls.exe
PID 1272 wrote to memory of 892	1272	cmd.exe	cacls.exe
PID 1272 wrote to memory of 328	1272	cmd.exe	cacls.exe
PID 1272 wrote to memory of 328	1272	cmd.exe	cacls.exe
PID 1272 wrote to memory of 328	1272	cmd.exe	cacls.exe
PID 1272 wrote to memory of 328	1272	cmd.exe	cacls.exe
PID 1516 wrote to memory of 636	1516	taskeng.exe	oneetx.exe
PID 1516 wrote to memory of 636	1516	taskeng.exe	oneetx.exe
PID 1516 wrote to memory of 636	1516	taskeng.exe	oneetx.exe
PID 1516 wrote to memory of 636	1516	taskeng.exe	oneetx.exe
PID 1516 wrote to memory of 1004	1516	taskeng.exe	oneetx.exe
PID 1516 wrote to memory of 1004	1516	taskeng.exe	oneetx.exe
PID 1516 wrote to memory of 1004	1516	taskeng.exe	oneetx.exe
PID 1516 wrote to memory of 1004	1516	taskeng.exe	oneetx.exe
PID 1516 wrote to memory of 1604	1516	taskeng.exe	oneetx.exe
PID 1516 wrote to memory of 1604	1516	taskeng.exe	oneetx.exe
PID 1516 wrote to memory of 1604	1516	taskeng.exe	oneetx.exe
PID 1516 wrote to memory of 1604	1516	taskeng.exe	oneetx.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe" /F
3⤵
- Creates scheduled task(s)
PID:1168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\d96cb54b4a" /P "Admin:N"&&CACLS "..\d96cb54b4a" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:1664

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
4⤵
PID:1248

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
4⤵
PID:1768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:1152

C:\Windows\SysWOW64\cacls.exe
CACLS "..\d96cb54b4a" /P "Admin:N"
4⤵
PID:892

C:\Windows\SysWOW64\cacls.exe
CACLS "..\d96cb54b4a" /P "Admin:R" /E
4⤵
PID:328

C:\Windows\system32\taskeng.exe
taskeng.exe {E0658B7E-28E3-46A1-8B2C-263F3EFAB71C} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe
2⤵
- Executes dropped EXE
PID:636

C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe
2⤵
- Executes dropped EXE
PID:1004

C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe
2⤵
- Executes dropped EXE
PID:1604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe
Filesize
301KB

MD5
5599f89944adc8ccad21b5ab94d33381

SHA1
8df8ce98cdf2a8cef21e26b03841818c9d522ded

SHA256
0fbb43983af8733417107190f2d4a66c4d8b6b42d10a54f613d060081f36910e

SHA512
a02bbfcecc55aa12ed16f5ef3db495a77be4ae328260f71a91bd93dcbba4de2f5ff9f0cc66c12e3bdc921a816aec3c1b429700f7a9024fdc2e0e901b87276171

Download Submit
C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe
Filesize
301KB

MD5
5599f89944adc8ccad21b5ab94d33381

SHA1
8df8ce98cdf2a8cef21e26b03841818c9d522ded

SHA256
0fbb43983af8733417107190f2d4a66c4d8b6b42d10a54f613d060081f36910e

SHA512
a02bbfcecc55aa12ed16f5ef3db495a77be4ae328260f71a91bd93dcbba4de2f5ff9f0cc66c12e3bdc921a816aec3c1b429700f7a9024fdc2e0e901b87276171

Download Submit
C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe
Filesize
301KB

MD5
5599f89944adc8ccad21b5ab94d33381

SHA1
8df8ce98cdf2a8cef21e26b03841818c9d522ded

SHA256
0fbb43983af8733417107190f2d4a66c4d8b6b42d10a54f613d060081f36910e

SHA512
a02bbfcecc55aa12ed16f5ef3db495a77be4ae328260f71a91bd93dcbba4de2f5ff9f0cc66c12e3bdc921a816aec3c1b429700f7a9024fdc2e0e901b87276171

Download Submit
C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe
Filesize
301KB

MD5
5599f89944adc8ccad21b5ab94d33381

SHA1
8df8ce98cdf2a8cef21e26b03841818c9d522ded

SHA256
0fbb43983af8733417107190f2d4a66c4d8b6b42d10a54f613d060081f36910e

SHA512
a02bbfcecc55aa12ed16f5ef3db495a77be4ae328260f71a91bd93dcbba4de2f5ff9f0cc66c12e3bdc921a816aec3c1b429700f7a9024fdc2e0e901b87276171

Download Submit
C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe
Filesize
301KB

MD5
5599f89944adc8ccad21b5ab94d33381

SHA1
8df8ce98cdf2a8cef21e26b03841818c9d522ded

SHA256
0fbb43983af8733417107190f2d4a66c4d8b6b42d10a54f613d060081f36910e

SHA512
a02bbfcecc55aa12ed16f5ef3db495a77be4ae328260f71a91bd93dcbba4de2f5ff9f0cc66c12e3bdc921a816aec3c1b429700f7a9024fdc2e0e901b87276171

Download Submit
C:\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe
Filesize
301KB

MD5
5599f89944adc8ccad21b5ab94d33381

SHA1
8df8ce98cdf2a8cef21e26b03841818c9d522ded

SHA256
0fbb43983af8733417107190f2d4a66c4d8b6b42d10a54f613d060081f36910e

SHA512
a02bbfcecc55aa12ed16f5ef3db495a77be4ae328260f71a91bd93dcbba4de2f5ff9f0cc66c12e3bdc921a816aec3c1b429700f7a9024fdc2e0e901b87276171

Download Submit
\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe
Filesize
301KB

MD5
5599f89944adc8ccad21b5ab94d33381

SHA1
8df8ce98cdf2a8cef21e26b03841818c9d522ded

SHA256
0fbb43983af8733417107190f2d4a66c4d8b6b42d10a54f613d060081f36910e

SHA512
a02bbfcecc55aa12ed16f5ef3db495a77be4ae328260f71a91bd93dcbba4de2f5ff9f0cc66c12e3bdc921a816aec3c1b429700f7a9024fdc2e0e901b87276171

Download Submit
\Users\Admin\AppData\Local\Temp\d96cb54b4a\oneetx.exe
Filesize
301KB

MD5
5599f89944adc8ccad21b5ab94d33381

SHA1
8df8ce98cdf2a8cef21e26b03841818c9d522ded

SHA256
0fbb43983af8733417107190f2d4a66c4d8b6b42d10a54f613d060081f36910e

SHA512
a02bbfcecc55aa12ed16f5ef3db495a77be4ae328260f71a91bd93dcbba4de2f5ff9f0cc66c12e3bdc921a816aec3c1b429700f7a9024fdc2e0e901b87276171

Download Submit
memory/636-72-0x0000000000400000-0x000000000090F000-memory.dmp

Filesize
5.1MB

Download
memory/1004-81-0x0000000000400000-0x000000000090F000-memory.dmp

Filesize
5.1MB

Download
memory/1524-73-0x0000000000400000-0x000000000090F000-memory.dmp

Filesize
5.1MB

Download
memory/1604-90-0x0000000000400000-0x000000000090F000-memory.dmp

Filesize
5.1MB

Download
memory/1720-66-0x0000000000400000-0x000000000090F000-memory.dmp

Filesize
5.1MB

Download
memory/1720-68-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads